tv Homeland Security Secretary Kirstjen Nielsen on Elections Disinformation CSPAN October 5, 2018 12:38pm-1:08pm EDT
susan gerald. on line at cspan.org and on line at the c-span app. c-span. where history unfolds daily. in 1979, c-span was created as a public service by america's cable television companies. and today we continue to bring you unfiltered coverage of congress. the white house. the supreme court. and public policy events in washington, d.c. and around the country. c-span is brought to you by your cable or satellite provider. homeland security secretary kirstjen nielsen talked about the trump security strategy and helped local officials to secure their systems ahead of the 2016 elections. from the council forum, this is
20 minutes. good afternoon, everyone. what an incredible location, breathtaking view. madam secretary, it's such an honor to have you with us. i'm fred kempe, i'm president and ceo of the atlantic council, and i know everyone is looking forward to the keynote speaker so i'll keep my introduction brief. it's my honor to present kirstjen nielsen. she joined the homeland security in january 2014 as chief of
staff to general john kelly during his term as secretary. she later served as principal deputy white house chief of staff before being confirmed as dhs secretary in december 2017. earlier in her career, secretary nielsen served during the george w. bush administration as special assistant to the president and senior director for prevention preparedness and response at the white house homeland security council. and she also spent some time -- considerable time in the private sector focusing on cybersecurity. so she knows what she's talking about. the department of homeland security has been charged with the vitally important task of protecting u.s. elections, cy r cybersystems and critical infrastructure, fields with policymakers can have global implications. in this rapidly changing information environment, threatening management, collaboration and resilience are
urgently important. so i think i speak for the entire audience when i say we thank you for your public service and look forward to hearing more from you. just for the record, this is swedish house, but nielsen is actually danish. and she's part danish and part italian, right? the house nevertheless greets you as does the atlantic council. [ applause ] >> well, thank you, fred. it's a pleasure to be here with you all today. i want to first thank you all for participating in these types of events. it becomes more and more important, i think, and i'll talk a little bit about this in my speech, but for all of us to play a very integral role in understanding cyber threats and knowing what we can all do together to protect against them. i thank the atlantic council and the house of sweden for hosting
us. these events are very important so i appreciate your participation in taking them seriously. fred and i go back a bit. we've actually done a couple panels over the years on cybersecurity, in fact. a lot continues to change. i think anyone who gives this type of speech today, it will be different tomorrow and the next day if you can keep up with all the different innovations and types of attacks. i certainly don't have to tell anyone in this room, though, that threats against our nation in cyberspace are many, and they are multiplying quickly. i know you talked a lot about this the last couple days. our adversaries are weaponizing the technology that has made our world faster, the same technology that makes us more innovative, the same technology that makes us more interconnected than ever before. in the past 18 months alone, we have witnessed north korea spread to more than 51 countries which held people hostage and brought factories to a halt. we also saw it compromise our
energy grid and infiltrating petroware which became one of the most affected cyber threats in history and how we can prepare in that fashion for such attacks. the headlines seem never-ending, and i don't think they're going to stop. i think we'll see more and more top front page news, unfortunately, with respect to cyberattacks. as we speak, hostile groups are probing political systems worldwide searching for vulnerabilities. without aggressive action on our part to secure our networks, it's only a matter of time before i believe we get hit and get hit hard in the homeland. what worries me in this conversation is not what has been done but what they have the capability to do. here i think we have changed how we view this in an important way. we no longer assume because a nation state or criminal organization has the capability, they will not use it. we are changing to a posture of assuming that if the capability exists, it could, in fact, be
used against us and we have to prepare accordingly. two weeks ago the president released the national cyber strategy. this is the first comprehensive national strategy we've ever had and the first cybersecurity related strategy we've ever had in about 15 years. let's talk a little about what's changed in the last 15 years and what that means for our posture. first of all, who here just out of pure coincidence 15 years ago was working in the cyber realm? i think that's consistent with most of us in national security homeland security. when i was at the homeland security council 15 years ago, i remember we would all do top ten lists of top ten things you're concerned about in the homeland post-911 and cyber was very careful about getting on the list. we had just created the first policy coordinating committee for the inner agency around 2004, 2005, and it was very difficult to have cyber be part of a national conversation, part of top of mind, because at the
time we were so concerned about terrorists and the physical attacks. we also at that time, if we were concerned about cyber, we were concerned about the confidentiality of data. today because so many of our critical systems rely on information, i am very concerned about the availability of that data to make our systems work or even the integrity of that data and we'll talk about that in a minute when i talk about election security. but now it's not so much that somebody can take your data, it's that they can prevent you from using it or they can change it in a way that's difficult for you to know what the real data is. 15 years ago, an aggressive cyberattack might have defaced a public website with some sort of joke or some sort of banner for some sort of activism. but today as we've seen, cyberattacks can manifest in actual physical consequences and they are making cyber weapons
destruct which makes much more complicated cyber defenses on our side. in fact, 15 years ago, the physical world and the virtual world were still quite separate. today these worlds have collided and we've seen how cyberattacks can cause actual physical effects. cyber threats have not kept up with this, and we have to, as a national community, begin to have more conversation about what is prohibited, what is allowed, what is expected when it comes to cyber activity. 15 years ago, we still assumed we could prevent cyberattacks. but now we recognize that we must move toward resilience and redundan redundancy. it's no longer a question of if or when but how long can committee withstand an attack, and perhaps how well can we innovate while under attack, giving you an idea that that attack surface will constantly be manipulated. so what do we do in the face of that? 15 years ago, the attack surface, in fact, was quite
small. large attacks at the time disrupted perhaps hundreds of thousands of devices at most. but today's attacks, as we've seen, can result in billions of dollars of disruptions or damage in a matter of hours. 15 years ago, cyber was probably the problem of the i.t. guy or gal who you might never have met until you got that spinning wheel of death on your e-mail and ask if you want to become friends with them, but now if a board doesn't have that at the top of the agenda, it's unlikely your team will continue to be competitive. it requires a person to be sitting at a computer with internet access today, the internet of everything allows all of us to be on line at all times everywhere. what this means is we're all potentially vulnerable to attack wherever we go, everything we do because of our smart devices or wearable device that some of us have digestible technology.
so today's cyberspace can be seen as a cyberattack, it can be a weapon of attack, and it can be critical of ransomware. this has occurred in the last decade and a half, and i think the president and the interagency have very important steps of moving forward for the cyber strategy. the president's strategy complements us at dhs that we implemented earlier this year, and we want to focus more on systemic risk. we'll also talk about that a little bit more. securing federal updates, countering cybercrime and of course election security. this is another area where if you had asked anybody in the field 15 years ago, the department of homeland security would be focused on election security. i don't know that you would have received an affirmative
response. so aztec as technology grows, so, too, does our mission space to be able to protect americans, and with only a month until election day, our role in election security has never been more important. i know you had an opportunity, some of you, to hear from undersecretary chris krebs yesterday. i know he gave you specific information on how we're working to mitigate the threat. i want to just quickly touch on a few things that the administration is doing. what is our goal? our goal at the heart of it is just to ensure that every american has assurance that their vote is counted and their vote is counted correctly. those are two different parts of the equation but they're equally important. unfortunately, there's been concern amongst many of us since the 2016 election when we did see the clear targeting of our elections by the russian government. there is a lot of confusion of what happened. at the end of the day, it appeared that votes were not altered. however, what we did see was
extraordinarily concerning. dhs initially identified 21 states, as you all know, that experienced remote targeting of state networks, mainly in the form of scanning or, in layman's terms, checking to see if any a were open, what the system looks like potentially to understand for a future attack. and all of this appeared to be an attempt to exploit vulnerabilities in our election infrastructure. we do now believe that all 50 states were probably likely targeted in the same way. a form of research, understanding systems, what the possibilities are. so ultimately, and we want to be clear on this, and i'm sure chris was yesterday, any attempt whether it's successful or unsuccessful to interfere in our elections is an attack on our democracy. it's unacceptable and we'll take it very seriously. today we do know that our upcoming election is a potential target. our adversaries have demonstrated capability, the will. i know you've spent a lot of
time talking about misinformation campaigns in influence in the form of information. i won't touch on that today. only to say that we all need to be intellectually curious and make sure the news that we read is, in fact, from a legitimate source and then make our own determination as to the validity of the information. the midterms are being watched closely not just because of the candidates or politics but because of this security. so we're working closely with state and locals to protect their systems. state and locals are constitutionally charged with the responsibility to administer elections. we're providing information and intelligence, no-cost technical assistance, response planning and we've been working on clearances to make sure that those that have the responsibility to operate the systems have the ability to receive the information. but we're also not letting that stand in our way. so if we have information, we're doing one day read-ins to make sure the people who need it can receive that information.
just yesterday we provided a classified brief to some of the election sector vendors on the threats we're watching and we'll continue to do that in the weeks to come. in 2016, there really wasn't a clear process for how we share this information. this is where government can seem very cumbersome perhaps. but setting up the right governance structure and the right roles and rules in the road are very important. so in collaboration with our state and local partners we've set up an election infrastructure center. it's providing timely and actual information. we have all 50 states participating and over 1,100 local jurisdictions. this is the fastest growing isac for those of you familiar with them that we've ever had in just the six months since it's been stood up. so we're tailoring information, getting it out to those who need it. just as we do in other sectors. but we're also helping to -- helping state and locals understand their networks from an intrusion perspective.
so we have albert sensors deployed. about 94 deployed to date but to put that in perspective, the midterms, more than 90% of registered voters will live in an area whose infrastructure is protected by an albert sensor. in addition to what we're doing at dhs, the president just issued an executive order to protect our elections from the foreign influence. and i do think this is a situation where making clear there will be consequences serves as a deterrent and makes clear how serious we take this in the international community. let's talk a little more about the strategy quickly. when you look at our strategy and the president's strategy you'll see words such as collective partnership, collaboration. it's not a government only effort. this should be clear to everybody now how important the public/private partnership is, but cybersecurity itself is truly a team sport. we have a responsibility to do everything in our power to protect vital systems, but we know that we can't do it alone.
in july we hosted the first ever national cybersecurity summit which brought together senior most cybersecurity officials in the country. some of you all looking out in the audience may have joined us there. what we try to do is to restart the public/private partnership to make sure that both parts of the equation are getting benefit from it which is always the core of any partnership. and we really tried to focus on essential functions that cross-sector collaboration. how we can do it better. as part of that, we announced the creation of the national risk management center and at the core of that, what we are looking to do is focus on that systemic layer. where are the single points of failure in our collective infrastructure. where are the single -- where are the concentrated dependencies and interdetendencez ainterdetendens and how will they promulgate. so a key mission for the center is working with industry, other government agencies. we look forward to telling you more about that.
we're working on some 90-day sprints and we'll have more to announce as we identify the critical functions on which we will focus our efforts. but most importantly, the center is driven by industry needs, and we look forward to learning from them and understanding how to help them better given their unique operational environments. so why am i here today? first of all, you're having an event. second of all, because october is national cybersecurity awareness month. last month was national preparedness month. we spent a lot of time at dhs last month talking about the various hazards that we work with communities to prepare for. but cyber is also one of those where it does take all of us to play a role. cyber truly today is an area where if we prepare individually, we'll all fail collectively. and that's because we're all interconnected. so my risk is your risk. your risk is my risk and we have to find a way to collectively protect. there are actions each of us can take. this is the 15th year of this
month. i hope it will be the greatest in terms of actions we all take together. one way to do it, to help is to educate americans on the simple steps that they can follow. i think everyone here has probably been told to have a password and have a password that's strong. kn no your password should not be pa password or password with a capital "p." until we can find a way to universally strengthen, passwords remain core. you must have a strong password. that should be something we all think about every day and encourage others to do. we also want to make sure that we patch. we can't say that enough but there's a reason why updates are sent out. and that is to reduce that attack surface. so it's important for us all to do that. it's important for us to understand what we're connected to. and to take very seriously the data that we put online. you should think of that as part
of yourself that you're sharing. be very clear who you're sharing it with and why and what you expect them to do with it. ask questions. i know this privacy disclosures can go on and on and on like the instructions to set up any kind of appliance in your house but they're worth reading at least one time. they'll become familiar to you. but they are important. we're also working very hard on the workforce. so dhs, we're looking for ways in which we can better hire, better retain, better compensate those professionals in this field. we're looking at creative ways to do that. and we will continue to work with our inner agency partners on that. so other than that, i wanted to tell you one sort of public service announcement really quickly before we go into final call to action. at 2:18 today, so shortly, we will do the first national test of our wireless emergency alert system. this is another way that we are trying to leverage the positive
side of technology, but anyone who has a smartphone should get an alert today. this alert system would be used only at time of a major consequential national emergency, one that we have not ever used before. one that we have not exercised before. so 2:18 your phone should do something. we'll see what happens. we've not ever tried it before. so in closing, we really look to each and every one of you to help be part of the strong links in the puzzle to take actions on your smartphones, on your computers, at our businesses, within your communities. make cybersecurity part of what you do every day. protect your information. do the basic what we call hygiene necessary. we have a lot of resources on our website. i encourage you to look at those and make sure that you implement them in your daily life. other than that, i just want to thank the atlantic council again for hosting us. we really look forward to partnering with many of you.
we continue to expand our list in doing that. so feel free to reach out to us. we're always looking for new and innovative ways to do the collective defense. you'll see us taking a lot of aggressive action not only to make sure we're using whole of government to provide consequences, to nefarious action but to make sure collectively we're identifying what is of value and what we can do to protect it. so thank you all for having me. i appreciate you taking the time to take part in this and hopefully you'll have time at lunch to enjoy the beautiful view out here as i'm looking out to the left. thank you very much. >> thank you, madam secretary. so at 2:18 when you get your ale alert, that means you're two minutes away from your last session today. we caugut off some of the sessi early. please go back to the workshops, wrap up. lunch starts at 1:30. take your time.
thank you. live now to the trump international hotel here in washington. where the group women for trump is holding its first women for america first summit. included speakers are president trump's 2020 seniorical pain adviser katrina pierson and fox news' gregg jarrett. this is live coverage on c-span3.